Let's imagine somewhere someone's using Framer Studio to prototype the 'next big thing' ... you know, the next Facebook, Google, you name it. In order to get some feedback from his trustworthy mentor on his awesome prototype, this fellow decides to show it to him via a Framer 'Share'-link.

That's how his (potential) multitrillion dollar idea ended up on some random AWS server - theoretically being accessible by anyone with an internet connection.

So, legal and moral concerns aside, how cool would it be to guess the resulting share-link (http://share.framerjs.com/XxXxXxXxXxXx/) and rake in those quadrillions in venture capital before he can? Cool enough to think this through, right?

Right.

###########################################################

#1) Basics:

Framer's 'Share'-links consist of a static part (http://share.framerjs.com/) and a semi-randomly generated part of 12 case-sensitive alphanumeric characters (a-z, A-Z, 0-9, i.e. 62 possible characters per position; example: sL1i6jl35vya).

From that alphabet and length we can calculate the total number of possible, unique 'Share'-links:

62^12 = 2^71.4503557246 = 3.226.266.762.397.899.821.056

In other words, there are '3 sextillion something' or '3 thousand billion billion something something' unique links! To put that number in perspective, astronomers and astrophysicists assume there are between 120 and 300 sextillion stars in the observable universe.

###########################################################

#3) How long would it take us to guess the one link we're interested in?

In order to answer this question, we first need to establish a number of guesses we can make in a given timeframe.

While running some tests under real conditions, I was able to check about 200 guesses ( = 'XMLHttpRequests') per minute. At that rate it would take:

35 trillion years - 34.637.471.569.670 to be exact! - to check every possible 'Share'-link for the wanted prototype.

Now, I have some good and bad news for you!

* Let's start with the good one: If you're insanely, stupidly, win-two-lotteries-in-a-row-ballpark-times-5.5-lucky, you could eventually guess the correct URL in your lifetime - or, even more unlikely, on your first try.

* The bad one: If you're not that lucky, or not lucky at all, chances are the universe will freeze up, evaporate or rip apart before you'll be able to find the one link.

###########################################################

#4) Conclusion:

As you can see, brute-guessing Framer links is *not really* a viable (business) strategy and I'd suggest coming up with your own, original multibazillion dollar ideas instead ;)

But then again, people also still play the lottery, so ...

###########################################################

#5) Bonus: How long would it take to guess ANY valid Framer link?

Let's assume there are currently 250.000 prototypes on the AWS servers:

3.226.266.762.397.899.821.056 possible strings / 250.000 shared prototypes = only every 1.290.506.704.959.159th string out of all possible ones is currently in use.

That's still an insanely large number by any measure and it would take you about 12,2 million years on average to guess a valid link! And even then, you'd probably dig up a useless(?) prototype like this one here: http://share.framerjs.com/78cnvjvgfsx2/ ;)
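The arithmetic behind #1, #3, #5 and the 'good news' bullet, collected into one small calculator. This is an added example written for this post, not Framer's code; it takes the post's inputs (62 characters, length 12, 200 guesses per minute, 250.000 live prototypes) and generalises them to any alphabet, length and rate. Exact figures depend on the calendar and rounding assumed, so they differ slightly from the rounded numbers above.

```python
import math

# Framer 'Share'-link ids: 12 case-sensitive alphanumeric characters (a-z, A-Z, 0-9).
ALPHABET_SIZE = 26 + 26 + 10   # 62
ID_LENGTH = 12
MINUTES_PER_YEAR = 365.25 * 24 * 60

def keyspace(alphabet_size=ALPHABET_SIZE, id_length=ID_LENGTH):
    """Number of distinct ids (62^12 for Framer)."""
    return alphabet_size ** id_length

def entropy_bits(alphabet_size=ALPHABET_SIZE, id_length=ID_LENGTH):
    """Bits of entropy of one id; log2(62^12) is about 71.45 bits."""
    return id_length * math.log2(alphabet_size)

def years_to_exhaust(guesses_per_minute, **kw):
    """Worst case for one specific link: every id tried once (section #3)."""
    return keyspace(**kw) / guesses_per_minute / MINUTES_PER_YEAR

def expected_years_to_any_valid(guesses_per_minute, links_in_use, **kw):
    """Expected time until the first hit on ANY of `links_in_use` live ids (section #5).
    Each guess succeeds with probability p = links_in_use / keyspace, so the
    expected number of guesses until the first hit is 1/p (geometric distribution)."""
    p = links_in_use / keyspace(**kw)
    return (1.0 / p) / guesses_per_minute / MINUTES_PER_YEAR

def lifetime_hit_probability(guesses_per_minute, years, links_in_use=1, **kw):
    """P(at least one hit) after `years` of guessing: 1 - (1 - p)^n, computed
    via log1p/expm1 so it stays accurate for p around 1e-22."""
    p = links_in_use / keyspace(**kw)
    n = guesses_per_minute * MINUTES_PER_YEAR * years
    return -math.expm1(n * math.log1p(-p))

if __name__ == "__main__":
    print(f"keyspace: {keyspace():,} ({entropy_bits():.2f} bits)")
    print(f"exhaust at 200/min: {years_to_exhaust(200):.3g} years")
    print(f"any of 250,000 live links at 200/min: "
          f"{expected_years_to_any_valid(200, 250_000):.3g} years")
    print(f"P(hit the one link within 80 years): {lifetime_hit_probability(200, 80):.2e}")
```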

B) As far as I can tell, the current bottleneck in verifying brute-guessed 'Share'-links is the connection speed to the AWS servers.

As connection speeds and the number of shared Framer files increase in the foreseeable future, the chance of guessing a random 'Share'-link will increase accordingly (see #5).

C) Detecting conspicuous 'XMLHttpRequests' and (temp)banning the IPs making them, AND/OR capping the number of such requests per IP in a given timeframe, would make it virtually impossible to brute-force-guess a link.

D) Guys, be sure to ALWAYS check the content of your 'imported'-folder and your backups (/framer/backups/) before sharing a potentially sensitive file!

Koen, Jorn: Talking about this very topic, maybe it would be helpful if you could add a list (or some sort of file browser) to the "Are you sure you want to share this project?"-prompt, which should show all the non-Framer files (imported assets, etc.), saying: "Hey, do you really want to share all these files?"
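A defender-side sketch of the check proposed in C): guessed ids almost always miss, so a burst of 404s on id-shaped paths from one client within a short window is the conspicuous pattern, while a real viewer produces a 200 and at most the odd mistyped 404. Added example written for this post, not Framer's code; the log line format ('<ip> <unix_ts> <status> <path>') and the sample traffic are constructed.

```python
import re
from collections import defaultdict, deque

# Path shape of a Framer 'Share'-link id: exactly 12 case-sensitive alphanumerics.
SHARE_ID = re.compile(r"^/([A-Za-z0-9]{12})/$")

def flag_enumeration(log_lines, window_seconds=60, max_misses=20):
    """Flag client IPs whose 404s on id-shaped paths exceed `max_misses` within
    any sliding window of `window_seconds`. Hypothetical log format per line:
    '<ip> <unix_ts> <status> <path>'. Returns {ip: peak misses in a window}."""
    misses = defaultdict(deque)   # per-IP timestamps of recent misses
    flagged = {}
    for line in log_lines:
        ip, ts, status, path = line.split()
        ts = int(ts)
        if status != "404" or not SHARE_ID.match(path):
            continue                # only misses on share-id paths count
        window = misses[ip]
        window.append(ts)
        while window and ts - window[0] > window_seconds:
            window.popleft()        # drop misses older than the window
        if len(window) > max_misses:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged

def make_sample_log():
    """Constructed sample traffic: one guessing client (30 misses in 58 s),
    one legitimate viewer, and one viewer who mistyped the link twice."""
    t0 = 1700000000
    lines = [f"203.0.113.7 {t0 + 2 * i} 404 /{'x' * 10}{i:02d}/" for i in range(30)]
    lines += [f"198.51.100.2 {t0 + 5} 200 /sL1i6jl35vya/",
              f"198.51.100.9 {t0 + 10} 404 /sL1i6jl35vyb/",
              f"198.51.100.9 {t0 + 20} 404 /sL1i6jl35vyc/",
              f"198.51.100.9 {t0 + 25} 200 /sL1i6jl35vya/"]
    return sorted(lines, key=lambda l: int(l.split()[1]))

if __name__ == "__main__":
    print(flag_enumeration(make_sample_log()))   # {'203.0.113.7': 30}
```

The same window counter can drive a per-IP cap (reject once the count passes the threshold) instead of only flagging after the fact.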

8 Comments

Alex Bystrov

Wanted to calculate this myself for months, never had time though. Finally feel all safe and comfy, thank you, sir

Maurice Zur Weide

I use the share function myself. I see the url generation as convenience but definitely not as security feature. This is for me an example of security through obscurity and therefore potentially easily broken. I love Framer but I am pretty sure no company likes the share function. Good for us, there are also other ways to safely distribute really sensitive prototypes...

Koen Bok

"Security through obscurity" is exactly what this is. There is statistically no chance you will ever guess a url. Much of your private data is protected like this by for example Dropbox or Google Photos.

Adding passwords is something we'd like to do, but more for deleting and managing stuff yourself, we don't think it will provide that much better security, but it will definitely give that perception which can be important.

The downside is that when we start storing passwords large companies will mark us as a SaaS provider, and we'll have to go through stringent IT audits.

Marc Krenn

Updated OP.

Игорь Растворов

Yes, password protection would be great

Tisho Georgiev

How about having the shared prototypes expire after a period of time (controlled by the user)?

Ben Rodenhäuser

The simplicity of the share button is something I would not want to miss. :-) Perhaps it would be enough to give users (not sure where) a hint that there are other ways of sharing for sensitive prototypes. I think the main issue here is perception of security on the side of the client, as Koen mentioned. There are clients for whom "putting a hidden link on the internet" is indistinguishable from "putting a link in the local newspaper".

Игорь Растворов

Just password protection. Instead of the alert saying "Do you really want to share your prototype..." place "Add password protection?". :) Something like that.